Security Bug Bounty Program: We Want A Bulletproof Komodo

Technology can never be secure enough, and SuperNET believes that working with experienced security researchers across the globe is crucial in identifying weaknesses in any technology. If you find a security issue in our platform, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to resolve the issue quickly.

Give us a reasonable amount of time to resolve the issue before making any disclosure to the public or a third party.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Public disclosure of a vulnerability makes it ineligible for a bounty.

If you report an attack vector, you must be able to demonstrate it on the test net.

To receive the bounty in full we also expect you to help us resolve the security issue, if necessary. The issue must be patched and deployed in the field before we pay any bounty. If an attacker exploits the bug before it is fixed we will not pay the bounty.

Issues that are already known about are not eligible for a bounty reward. We keep a record of all known attack vectors.

Exclusions

While researching, we’d like to ask you to refrain from:

Denial of service.

Spamming.

Social engineering (including phishing) of SuperNET staff or contractors.

Any physical attempts against SuperNET property or data centers.

Actively exploiting SuperNET or Komodo applications.

The Security Bounty

For now, our bug bounty program is limited to security bugs only, but if someone finds some other critical vulnerability, e.g. related to privacy, then we may discuss the possibility of a bounty. We define a security bug to be something which affects the blockchain, emission of KMD, economic damage, financial loss or other critical areas. Contact us if you are not sure.

The security bugs are divided into several groups depending on their severity. The severity of each bug and the final bounty size are decided entirely by the SuperNET development and security team members.

Update

Known Security Vulnerabilities

These addresses are generated by hashing a description of a security vulnerability. They can be used to prove that a reported vulnerability was already known by our team.